I'm trying to figure out how to do roles/permissions in our application, and I am wondering if anyone knows of a good place to get a list of different permission-based authorization systems (preferably with code samples) and perhaps a list of pros/cons for each method.

I've seen examples using simple dictionaries, custom attributes, claims-based authorization, and custom frameworks, but I can't find a simple explanation of when to use one over another and what the pros/cons are of using each method. (I'm sure there are other ways than the ones I've listed...)

I have never done anything complex with permissions/authorization before, so all of this seems a little overwhelming to me and I'm having trouble figuring out what is useful information that I can use and what isn't.

What I DO know is that this is for a Windows environment using C#/WPF and WCF services. Some permission checks are done on the WCF service and some on the client. Some are business rules, some are authorization checks, and others are UI-related (such as what forms a user can see). They can be very generic like boolean or numeric values, or they can be more complex such as a range of values or a list of database items to be checked/unchecked.

Permissions can be set on the group-level, user-level, branch-level, or a custom level, so I do not want to use role-based authorization. Users can be in multiple groups, and users with the appropriate authorization are in charge of creating/maintaining these groups. It is not uncommon for new groups to be created, so they can't be hard-coded.
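As an added example (not code from the question or from either answer) of what a permission-based, non-role model can look like in C#: each grant is keyed by a permission name and carries a typed value (a boolean, a numeric limit, a range, or a set of database item ids) at a scope (user, group, branch, or a custom scope), and the resolver unions every grant that applies to the caller's memberships. All type names here are assumptions; in a real system the grants would be loaded from the database that the authorized users maintain, so new groups need no code change.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for this example: ScopeKind, Scope, Grant, IntRange,
// Principal, PermissionResolver. Nothing here is a framework API.
public enum ScopeKind { User, Group, Branch, Custom }

// Where a grant applies. New groups/branches are just new ids, not new code.
public sealed class Scope
{
    public ScopeKind Kind { get; }
    public string Id { get; }
    public Scope(ScopeKind kind, string id) { Kind = kind; Id = id; }
    public override bool Equals(object obj) => obj is Scope s && s.Kind == Kind && s.Id == Id;
    public override int GetHashCode() => Kind.GetHashCode() ^ Id.GetHashCode();
}

public sealed class IntRange { public int Min; public int Max; }

// "Permission X has value V at scope S". Value is bool, int, IntRange or ISet<int>.
public sealed class Grant
{
    public string Permission { get; }
    public Scope Scope { get; }
    public object Value { get; }
    public Grant(string permission, Scope scope, object value)
    { Permission = permission; Scope = scope; Value = value; }
}

// The caller: a user plus every group/branch/custom scope it belongs to.
public sealed class Principal
{
    public string UserId { get; }
    public IReadOnlyCollection<Scope> Scopes { get; }
    public Principal(string userId, IEnumerable<Scope> memberships)
    {
        UserId = userId;
        Scopes = new List<Scope>(memberships) { new Scope(ScopeKind.User, userId) };
    }
}

public sealed class PermissionResolver
{
    private readonly IReadOnlyList<Grant> _grants;   // loaded from the DB in practice
    public PermissionResolver(IEnumerable<Grant> grants) { _grants = grants.ToList(); }

    // Every grant for this permission that matches one of the caller's scopes.
    private IEnumerable<Grant> Applicable(Principal p, string permission) =>
        _grants.Where(g => g.Permission == permission && p.Scopes.Contains(g.Scope));

    // Boolean permission, deny by default: no grant means false.
    public bool Allowed(Principal p, string permission) =>
        Applicable(p, permission).Any(g => g.Value is bool b && b);

    // Numeric limit: the highest applicable value wins, zero when none applies.
    // Use Min() instead if your policy for multi-group users is "most restrictive".
    public int Limit(Principal p, string permission) =>
        Applicable(p, permission).Select(g => g.Value as int?).Max() ?? 0;

    // Range permission: allowed if any applicable range contains the value.
    public bool InRange(Principal p, string permission, int value) =>
        Applicable(p, permission).Any(g => g.Value is IntRange r && value >= r.Min && value <= r.Max);

    // List of database items: union of every checked item across scopes.
    public ISet<int> CheckedItems(Principal p, string permission)
    {
        var result = new HashSet<int>();
        foreach (var g in Applicable(p, permission))
            if (g.Value is ISet<int> items) result.UnionWith(items);
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: groups and a branch an administrator created at run time.
        var grants = new[]
        {
            new Grant("Invoices.Approve",   new Scope(ScopeKind.Group,  "Accounting"), true),
            new Grant("Invoices.MaxAmount", new Scope(ScopeKind.Group,  "Accounting"), 5000),
            new Grant("Invoices.MaxAmount", new Scope(ScopeKind.Branch, "Berlin"),     20000),
            new Grant("Reports.Years",      new Scope(ScopeKind.Group,  "Auditors"),   new IntRange { Min = 2005, Max = 2011 }),
            new Grant("Customers.Visible",  new Scope(ScopeKind.User,   "rachel"),     new HashSet<int> { 7, 42 }),
        };
        var resolver = new PermissionResolver(grants);
        var rachel = new Principal("rachel", new[]
        {
            new Scope(ScopeKind.Group, "Accounting"),
            new Scope(ScopeKind.Branch, "Berlin"),
        });

        Console.WriteLine(resolver.Allowed(rachel, "Invoices.Approve"));
        Console.WriteLine(resolver.Limit(rachel, "Invoices.MaxAmount"));
        Console.WriteLine(resolver.InRange(rachel, "Reports.Years", 2008));
        Console.WriteLine(string.Join(",", resolver.CheckedItems(rachel, "Customers.Visible")));
    }
}
```

The one decision this model forces you to make explicitly is the merge rule for users in several groups: the resolver above is deny-by-default for booleans but most-permissive for numeric limits, and whichever rule you pick should be the same on the WCF service and in the client so the two checks cannot disagree.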

There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue that can be answered in a few paragraphs.
If this question can be reworded to fit the rules in the help center, please edit the question.

Can you define "system"? Are you looking for a complete top-to-bottom system, i.e. that integrates with Active Directory or has its own administration tools for managing everything? The .NET Framework already has a ton of this functionality built into the Identity Model - it's all based on claims and claim sets.
– Aaronaught Apr 29 '11 at 18:48

@Aaronaught Anything... it could be a third-party library for permissions-based authorization, or it could be a simple explanation of how to build one and how/why it works. I'd prefer to know how something is built and why it is built that way. I'm just lost as to where to start, or how to build it.
– Rachel Apr 29 '11 at 18:51

Well, for WCF, you really should check out that link and that whole area of MSDN; I'm loath to submit such a trite statement as an answer but that really is all you need. You set up a ServiceAuthorizationBehavior, which presents a ServiceAuthorizationManager, which has access to the policies and gets to validate every OperationContext before the operation executes.
– Aaronaught Apr 29 '11 at 18:56

2 Answers

We had UI-level authorization implemented at control level. We had the authorization details for each control on each view stored in the DB; at run time the base class did the heavy lifting in deciding which user could see/use which control on the rendered form. We had a constraint of not using any third-party library.
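One way to build the base class this answer describes, as an added example (not the answerer's code): a WPF `Window` subclass that, once loaded, walks the logical tree and collapses or disables each named control according to what the database says the current user may see and use on that view. `IControlPermissionRepository` and `ControlPermissions` are hypothetical stand-ins for the DB lookup.

```csharp
using System.Collections.Generic;
using System.Windows;

// Hypothetical: what the DB returns for one (view, user) pair.
public sealed class ControlPermissions
{
    public HashSet<string> Visible { get; } = new HashSet<string>();
    public HashSet<string> Enabled { get; } = new HashSet<string>();
}

// Hypothetical repository over the control-level rows stored per view.
public interface IControlPermissionRepository
{
    ControlPermissions ForView(string viewName, string userName);
}

// Every view derives from this; the permission pass runs after the tree is built.
public abstract class AuthorizedWindow : Window
{
    private readonly IControlPermissionRepository _repo;
    private readonly string _user;

    protected AuthorizedWindow(IControlPermissionRepository repo, string userName)
    {
        _repo = repo;
        _user = userName;
        Loaded += (s, e) => ApplyPermissions();
    }

    // Views are keyed by class name here; override when the DB uses another key.
    protected virtual string ViewName => GetType().Name;

    private void ApplyPermissions()
    {
        var perms = _repo.ForView(ViewName, _user);
        foreach (var element in NamedDescendants(this))
        {
            // Deny by default: a named control with no row is hidden.
            if (!perms.Visible.Contains(element.Name))
            {
                element.Visibility = Visibility.Collapsed;
                continue;
            }
            element.IsEnabled = perms.Enabled.Contains(element.Name);
        }
    }

    // Depth-first walk over the logical tree, yielding every element with an x:Name.
    private static IEnumerable<FrameworkElement> NamedDescendants(DependencyObject root)
    {
        foreach (var child in LogicalTreeHelper.GetChildren(root))
        {
            if (child is FrameworkElement fe)
            {
                if (!string.IsNullOrEmpty(fe.Name)) yield return fe;
                foreach (var d in NamedDescendants(fe)) yield return d;
            }
        }
    }
}
```

Only controls with an `x:Name` are governed, so the DB rows are keyed by (view name, control name), and a control the designer forgot to name is simply left alone; if you would rather have unnamed controls hidden too, yield them with a generated key instead of skipping them. Either way this pass only shapes the UI; the WCF service still has to check the same permission on each call.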

Rhino looks like it can only be used with NHibernate, and I am using EntityFramework. Is this correct?
– Rachel Apr 29 '11 at 18:49

As it is currently implemented, it does depend on NHibernate. However, it can certainly serve as an example, and Ayende's blog posts can lend insight into the decisions that go into designing an authorization component.
– qes Apr 29 '11 at 19:44

You did after all ask for examples and sample code and discussion of pros/cons, rather than asking for a ready-to-roll component that can be plugged directly in with EF.
– qes Apr 29 '11 at 19:46